GNU bug report logs - #28602
Unpack fails with no error message when using a .zip source

Package: guix;

Reported by: nee <nee <at> cock.li>

Date: Mon, 25 Sep 2017 20:11:01 UTC

Severity: normal

Tags: patch

Done: zimoun <zimon.toutoune <at> gmail.com>

Bug is archived. No further changes may be made.



Report forwarded to bug-guix <at> gnu.org:
bug#28602; Package guix. (Mon, 25 Sep 2017 20:11:02 GMT)

Acknowledgement sent to nee <nee <at> cock.li>:
New bug report received and forwarded. Copy sent to bug-guix <at> gnu.org. (Mon, 25 Sep 2017 20:11:02 GMT)

Message #5 received at submit <at> debbugs.gnu.org:

From: nee <nee <at> cock.li>
To: bug-guix <at> gnu.org
Subject: Unpack fails with no error message when using a .zip source
Date: Mon, 25 Sep 2017 22:10:19 +0200
Hello,

right now unpacking .zip sources only works when unzip is added as
native input. That's all right, but there is no error message, just:

starting phase `unpack'
phase `unpack' failed after 0.0 seconds

It should say something like:

starting phase `unpack'
Archive with .zip suffix failed to unpack. Please add unzip as
native-input to the package, e.g. (native-inputs `(("unzip" ,unzip)))
phase `unpack' failed after 0.0 seconds

I tested this in the cmake-build-system




Information forwarded to bug-guix <at> gnu.org:
bug#28602; Package guix. (Wed, 04 Oct 2017 18:18:01 GMT)

Message #8 received at submit <at> debbugs.gnu.org:

From: Adonay Felipe Nogueira <adfeno <at> hyperbola.info>
To: bug-guix <at> gnu.org
Subject: Re: bug#28602: Unpack fails with no error message when using a .zip
 source
Date: Wed, 04 Oct 2017 15:17:13 -0300
Does the .zip file have a single directory on the root?

If not, then we can call it a zipbomb/tarbomb. These bombs are bad
because they can replace things without notice, and can be very
difficult to track what was added. Last time I checked Guix expects only
a single directory in the root of the file --- this might have changed,
but I didn't test it since one year ago.

nee <nee <at> cock.li> writes:

> Hello,
>
> right now unpacking .zip sources only works when unzip is added as
> native input. That's all right, but there is no error message, just:
>
> starting phase `unpack'
> phase `unpack' failed after 0.0 seconds
>
> It should say something like:
>
> starting phase `unpack'
> Archive with .zip suffix failed to unpack. Please add unzip as
> native-input to the package, e.g. (native-inputs `(("unzip" ,unzip)))
> phase `unpack' failed after 0.0 seconds
>
> I tested this in the cmake-build-system

-- 
- https://libreplanet.org/wiki/User:Adfeno
- Speaker and consultant on free/libre /software/ (not to be confused with
  gratis).
- "WhatsApp"? It is not free/libre. Please use GNU Ring or Tox.
- Contact: https://libreplanet.org/wiki/User:Adfeno#vCard
- Common file formats accepted (only without DRM): Corel Draw, Microsoft
  Office, MP3, MP4, WMA, WMV.
- Common file formats accepted and sent: CSV, GNU Dia, GNU Emacs Org, GNU
  GIMP, Inkscape SVG, JPG, LibreOffice (ODF standard), OGG, OPUS, PDF
  (only without DRM), PNG, TXT, WEBM.




Information forwarded to bug-guix <at> gnu.org:
bug#28602; Package guix. (Mon, 09 Oct 2017 21:01:01 GMT)

Message #11 received at 28602 <at> debbugs.gnu.org:

From: nee <nee <at> cock.li>
To: 28602 <at> debbugs.gnu.org
Subject: Re: bug#28602: [PATCH] guix: gnu-build-system: warn about missing
 unzip input unzip
Date: Mon, 9 Oct 2017 23:00:29 +0200
Hello here is a patch to fix this bug. It changes the gnu-build-system,
so the hashes of almost all packages will also change. I guess
core-updates is the right branch for this.

[0001-guix-gnu-build-system-warn-about-missing-unzip-input.patch (text/x-patch, attachment)]

Information forwarded to bug-guix <at> gnu.org:
bug#28602; Package guix. (Mon, 09 Oct 2017 21:06:02 GMT)

Message #14 received at 28602 <at> debbugs.gnu.org:

From: nee <nee <at> cock.li>
To: Adonay Felipe Nogueira <adfeno <at> hyperbola.info>
Cc: 28602 <at> debbugs.gnu.org
Subject: Re: bug#28602: Unpack fails with no error message when using a .zip
 source
Date: Mon, 9 Oct 2017 23:05:02 +0200
On 04.10.2017 at 20:17, Adonay Felipe Nogueira wrote:
> Does the .zip file have a single directory on the root?
> 
> If not, then we can call it a zipbomb/tarbomb. These bombs are bad
> because they can replace things without notice, and can be very
> difficult to track what was added. Last time I checked Guix expects only
> a single directory in the root of the file --- this might have changed,
> but I didn't test it since one year ago.

Hello, this is a different problem. Tarbombs are still a problem, but
unrelated to this.

The gnu-build-system does not have unzip by default. If a package's
source comes in a zip the package must have unzip as native-input. If it
isn't the (system* "unzip" source) call in the unpack function will fail
because there is no unzip executable.

Happy hacking!




Added tag(s) patch. Request was from nee <nee <at> cock.li> to control <at> debbugs.gnu.org. (Sun, 26 Nov 2017 18:28:01 GMT)

Information forwarded to bug-guix <at> gnu.org:
bug#28602; Package guix. (Mon, 05 Jul 2021 11:59:02 GMT)

Message #19 received at 28602 <at> debbugs.gnu.org:

From: zimoun <zimon.toutoune <at> gmail.com>
To: nee <nee <at> cock.li>
Cc: 28602 <at> debbugs.gnu.org
Subject: Re: bug#28602: Unpack fails with no error message when using a .zip
 source
Date: Mon, 05 Jul 2021 13:46:26 +0200
Hi,

Thanks for the patch and sorry for the delay.

On Mon, 09 Oct 2017 at 23:00, nee <nee <at> cock.li> wrote:
> Hello here is a patch to fix this bug. It changes the gnu-build-system,
> so the hashes of almost all packages will also change. I guess
> core-updates is the right branch for this.
>
>>From 089b9741a734f0682a671df6c0c36dfefcbd407c Mon Sep 17 00:00:00 2001
> From: nee <nee.git <at> cock.li>
> Date: Mon, 9 Oct 2017 22:49:12 +0200
> Subject: [PATCH] guix: gnu-build-system: warn about missing unzip input during
>  unpack.
>
> ---
>  guix/build/gnu-build-system.scm | 17 ++++++++++++++++-
>  1 file changed, 16 insertions(+), 1 deletion(-)
>
> diff --git a/guix/build/gnu-build-system.scm b/guix/build/gnu-build-system.scm
> index e37b75140..c16d15964 100644
> --- a/guix/build/gnu-build-system.scm
> +++ b/guix/build/gnu-build-system.scm
> @@ -67,6 +67,21 @@ See https://reproducible-builds.org/specs/source-date-epoch/."
>                      #f
>                      dir))
>
> +(define (unzip filepath)
> +  "Unzip archive file.
> +Warn the user when unzip fails and the executable is not present."
> +  (define exit-code (system* "unzip" filepath))
> +  (define program-not-found-code 32512)
> +  (cond ((zero? exit-code) #t)
> +        ((eqv? exit-code program-not-found-code)
> +         (format (current-error-port)
> +                 "warning: Archive with .zip suffix failed to unpack.
> +Please add unzip as native-input to the package,
> +e.g. (native-inputs `((\"unzip\" ,unzip)))")
> +         (newline (current-error-port))
> +         #f)
> +        (else #f)))

Give a look at 'invoke' from (guix build utils).

>  (define* (set-paths #:key target inputs native-inputs
>                      (search-paths '()) (native-search-paths '())
>                      #:allow-other-keys)
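
Review bot: `program-not-found-code 32512` in the new `unzip` procedure compares against a raw wait status rather than an exit value. 32512 is 127 × 256, so the test would be clearer, and would not depend on how the status word is packed, written as `(eqv? 127 (status:exit-val exit-code))`; the binding named `exit-code` holds the whole status returned by `system*` and would be better named `status`. The final `(else #f)` branch also returns failure without any message from this procedure, so every other non-zero status is reported no better than before the change.
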
> @@ -154,7 +169,7 @@ working directory."
>                            #:keep-mtime? #t)
>          #t)
>        (and (if (string-suffix? ".zip" source)
> -               (zero? (system* "unzip" source))
> +               (unzip source)
>                 (zero? (system* "tar" "xvf" source)))
>             (chdir (first-subdirectory ".")))))
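
Review bot: on the `+` line, `(unzip source)` calls a helper that has the same name as the package variable the hint text tells packagers to reference (`,unzip`), so the call site reads as if a package object were being applied. A name that says what the procedure does, for example `unpack-zip`, would avoid that. The tar branch next to it still uses the inline `(zero? (system* "tar" "xvf" source))` form, so the two branches of the `if` now follow different conventions.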

After 9a87649c863e1ff8b073b356875eb05eecedbcf7, this part uses 'invoke'.
Instead of your 'unzip', the exception raised by 'invoke' should be
caught and then should trigger the hint message.  WDYT?

All the best,
simon
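
One way to implement the suggestion in the message above (catch the exception raised by 'invoke' and print the hint), as an added example that is not code from Guix or from anyone in this thread. The name `unpack-zip` is hypothetical, the value 127 is the exit value that the patch's 32512 decodes to, and the `(guix build utils)` module is assumed to be on the Guile load path.

```scheme
;; Added example, not Guix's own code.  Assumes (guix build utils) is on the
;; Guile load path, as it is inside a Guix build environment.
(use-modules (guix build utils)   ; invoke, invoke-error? and its accessors
             (srfi srfi-34))      ; guard, raise

;; Exit value that the patch's 32512 decodes to (32512 = 127 * 256).
(define %program-not-found 127)

(define (unpack-zip source)       ; hypothetical name
  "Extract SOURCE with unzip.  When the program could not be run, print a
hint on the error port, then re-raise so that the phase still fails."
  (guard (c ((invoke-error? c)
             ;; invoke-error-exit-status is #f when the child was killed by
             ;; a signal, in which case no hint is printed.
             (when (eqv? %program-not-found (invoke-error-exit-status c))
               (format (current-error-port)
                       (string-append
                        "hint: could not run `~a' to unpack ~a;~%"
                        "hint: add unzip to the package's native-inputs~%")
                       (invoke-error-program c) source))
             ;; Re-raise in every case: the hint adds information, it does
             ;; not turn a failed unpack into a success.
             (raise c)))
    (invoke "unzip" source)))
```

Because the condition is re-raised, failures with any other exit value propagate unchanged and the phase fails exactly as it would without the hint.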




Information forwarded to bug-guix <at> gnu.org:
bug#28602; Package guix. (Fri, 26 Nov 2021 01:55:02 GMT)

Message #22 received at 28602 <at> debbugs.gnu.org:

From: zimoun <zimon.toutoune <at> gmail.com>
To: nee <nee <at> cock.li>
Cc: 28602 <at> debbugs.gnu.org
Subject: bug#28602: [core-updates] Unpack fails with no error message when
 using a .zip source
Date: Fri, 26 Nov 2021 02:49:04 +0100
Hi,

This patch [1] had been submitted in 2017 and fallen in the cracks.  The
code below requires improvement and I am not convinced by the feature.
Therefore closing?

1: <http://issues.guix.gnu.org/issue/28602>


On Mon, 05 Jul 2021 at 13:46, zimoun <zimon.toutoune <at> gmail.com> wrote:
> On Mon, 09 Oct 2017 at 23:00, nee <nee <at> cock.li> wrote:

>> Hello here is a patch to fix this bug. It changes the gnu-build-system,
>> so the hashes of almost all packages will also change. I guess
>> core-updates is the right branch for this.
>>
>>>>From 089b9741a734f0682a671df6c0c36dfefcbd407c Mon Sep 17 00:00:00 2001
>> From: nee <nee.git <at> cock.li>
>> Date: Mon, 9 Oct 2017 22:49:12 +0200
>> Subject: [PATCH] guix: gnu-build-system: warn about missing unzip input during
>>  unpack.
>>
>> ---
>>  guix/build/gnu-build-system.scm | 17 ++++++++++++++++-
>>  1 file changed, 16 insertions(+), 1 deletion(-)
>>
>> diff --git a/guix/build/gnu-build-system.scm b/guix/build/gnu-build-system.scm
>> index e37b75140..c16d15964 100644
>> --- a/guix/build/gnu-build-system.scm
>> +++ b/guix/build/gnu-build-system.scm
>> @@ -67,6 +67,21 @@ See https://reproducible-builds.org/specs/source-date-epoch/."
>>                      #f
>>                      dir))
>>
>> +(define (unzip filepath)
>> +  "Unzip archive file.
>> +Warn the user when unzip fails and the executable is not present."
>> +  (define exit-code (system* "unzip" filepath))
>> +  (define program-not-found-code 32512)
>> +  (cond ((zero? exit-code) #t)
>> +        ((eqv? exit-code program-not-found-code)
>> +         (format (current-error-port)
>> +                 "warning: Archive with .zip suffix failed to unpack.
>> +Please add unzip as native-input to the package,
>> +e.g. (native-inputs `((\"unzip\" ,unzip)))")
>> +         (newline (current-error-port))
>> +         #f)
>> +        (else #f)))
>
> Give a look at 'invoke' from (guix build utils).
>
>>  (define* (set-paths #:key target inputs native-inputs
>>                      (search-paths '()) (native-search-paths '())
>>                      #:allow-other-keys)
>> @@ -154,7 +169,7 @@ working directory."
>>                            #:keep-mtime? #t)
>>          #t)
>>        (and (if (string-suffix? ".zip" source)
>> -               (zero? (system* "unzip" source))
>> +               (unzip source)
>>                 (zero? (system* "tar" "xvf" source)))
>>             (chdir (first-subdirectory ".")))))
>
> After 9a87649c863e1ff8b073b356875eb05eecedbcf7, this part uses 'invoke'.
> Instead of your 'unzip', the exception raised by 'invoke' should be
> caught and then should trigger the hint message.  WDYT?

Cheers,
simon




Information forwarded to bug-guix <at> gnu.org:
bug#28602; Package guix. (Tue, 04 Jan 2022 22:58:01 GMT)

Message #25 received at 28602 <at> debbugs.gnu.org:

From: zimoun <zimon.toutoune <at> gmail.com>
To: nee <nee <at> cock.li>
Cc: 28602 <at> debbugs.gnu.org
Subject: Re: bug#28602: Unpack fails with no error message when using a .zip
 source
Date: Tue, 04 Jan 2022 23:55:40 +0100
Hi,

On Fri, 26 Nov 2021 at 02:49, zimoun <zimon.toutoune <at> gmail.com> wrote:

> This patch [1] had been submitted in 2017 and fallen in the cracks.  The
> code below requires improvement and I am not convinced by the feature.
> Therefore closing?
>
> 1: <http://issues.guix.gnu.org/issue/28602>

If no answer before the next release [1], I will close it.


1: <https://lists.gnu.org/archive/html/guix-devel/2022-01/msg00055.html>

Cheers,
simon




Reply sent to zimoun <zimon.toutoune <at> gmail.com>:
You have taken responsibility. (Wed, 23 Mar 2022 10:42:02 GMT)

Notification sent to nee <nee <at> cock.li>:
bug acknowledged by developer. (Wed, 23 Mar 2022 10:42:02 GMT)

Message #30 received at 28602-done <at> debbugs.gnu.org:

From: zimoun <zimon.toutoune <at> gmail.com>
To: nee <nee <at> cock.li>
Cc: 28602-done <at> debbugs.gnu.org
Subject: Re: bug#28602: Unpack fails with no error message when using a .zip
 source
Date: Wed, 23 Mar 2022 11:37:28 +0100
Hi,

On Tue, 04 Jan 2022 at 23:55, zimoun <zimon.toutoune <at> gmail.com> wrote:
> On Fri, 26 Nov 2021 at 02:49, zimoun <zimon.toutoune <at> gmail.com> wrote:
>
>> This patch [1] had been submitted in 2017 and fallen in the cracks.  The
>> code below requires improvement and I am not convinced by the feature.
>> Therefore closing?
>>
>> 1: <http://issues.guix.gnu.org/issue/28602>
>
> If no answer before the next release [1], I will close it.

Well, 11 weeks later without an answer, I am closing.

Cheers,
simon




bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Wed, 20 Apr 2022 11:24:03 GMT)

This bug report was last modified 2 years and 4 days ago.
